marketstack
Pass
Audited by Gen Agent Trust Hub on Apr 25, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [SAFE]: The skill implements a secure integration pattern by utilizing the Membrane platform for authentication, which eliminates the need for handling sensitive API keys directly within the agent's environment. It follows best practices by instructing the agent to never ask for user secrets.
- [EXTERNAL_DOWNLOADS]: The instructions require the installation of the
@membranehq/clipackage from the official npm registry. This is a standard dependency for using the vendor's service. - [COMMAND_EXECUTION]: The skill uses local shell commands via the
membraneCLI to interact with external services. This includes managing connections, searching for actions, and executing API requests. - [PROMPT_INJECTION]: The skill has an indirect prompt injection surface because it ingests data from the Marketstack API which is then processed by the agent.
- Ingestion points: Data retrieved through
membrane action runandmembrane requestcommands as described in SKILL.md. - Boundary markers: Not present in the integration instructions.
- Capability inventory: The skill can perform various API actions and arbitrary proxy requests as seen in the command definitions in SKILL.md.
- Sanitization: No sanitization or data validation is specified for the external API outputs before they are presented to the agent.
Audit Metadata